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Abstract 


Time and frequency data are often transmitted over public packet-switched networks y and the 
use of this mode of distribution is likely to increase in the near future os high-speed logical circuits 
transmitt ed via networks replace point-to-point physical circuits. Although these networks have 
many technical advantages, they are susceptible to eavesdropping, spoofing, and the alteration of 
messages enroute using techniques that are relatively simply to implement and quite difficult to 

detect. . 

I will discuss a number of solutions to these problems, including the authentication mechanism 

used in the Network Time Protocol (NTP) and the more general technique of signing time-stamps 
using public-key cryptography. This public-key method can also be used to implement the digital 
analog of a Notary Public, and I will discuss how such a system could be realized on a public 
network such as the Internet . 


INTRODUCTION 

Time and frequency transmissions — both the signals themselves and the interchanges of data 
that form the basis for national and international coordination - are generally transmitted with 
only moderate security and only cursory authentication. Although this openness has served 
us well up until now, the increasing importance of time and frequency information in many 
areas ranging from synchronous communications to the coordination of access to distributed 
databases means that the disruption of a time service may be very serious and costly. In 
addition, the continuing problems posed by computer viruses and worm programs should teach 
us that attacks on networks and computer systems are not necessarily motivated solely (or 
even primarily) by financial gain, and that attacking an important and visible system might be 
considered a challenge, and “just because it’s there” could be enough of a motivation. It is 
important to begin now to consider how the security of our transmissions can be improved 
before any of our systems comes under a determined attack. 

Jamming transmissions or cutting cables may have serious consequences by denying service to 
a particular group of users, but the effects tend to be localized and relatively easy to detect 
— even if correcting the problem can be both arduous and expensive. Data modifications that 
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do not produce obvious disruptions or degradations are potentially much more serious. These 
changes are not readily detected; in the worst case the corrupted transmissions may be accepted 
as genuine for some time. 

The various methods for protecting and authenticating data that I will discuss fall into two 
broad categories — methods that are intended to insure the integrity of existing time signals or 
data transmissions and methods that are potentially useful as ends in themselves in protecting 
or authenticating other kinds of time-sensitive messages and transactions. 


SINGLE-KEY ENCRYPTION 

The simplest way of protecting data is to add some form of check-sum to it and then encrypt 
either the complete message or just the checksum. Only someone who knows the key can 
alter the data without invalidating the original checksum. There are any number of methods 
that can be used for this purpose, including those that effectively “chain” messages together to 
prevent adding spurious messages or replaying older valid onesril. 

There are a number of technical difficulties with this system, including devising robust methods 
for dealing with noisy channels and lost messages, but the most serious practical difficulty 
is probably the distribution of the encryption and decryption keys. Whether these keys are 
implemented in software (using passwords or phrases) or in hardware (using an artifact such 
as a magnetic card), distributing keys requires a substantial investment of people and money 
and is probably never as secure as the advocates of such systems would claim. 

In spite of these practical difficulties, the Internet-based Network Time Protocol (NTP) supports 
optional authentication and validation using single-key encryption PI. When this mode is enabled, 
the transmitter of an NTP message computes an authenticator derived from the message itself 
and a secret key using the Data Encryption Standard (DES) in a mode similar to the “block- 
chaining” method specified by NISTPJ. The resulting checksum is then appended to the end 
of the message together with an integer specifying which of several possible keys has been 
used to compute it. The relationship between this integer and the actual key value must be 
sent to each receiver via an external, unspecified, secure channel. The receiver validates the 
message by repeating the same procedure and comparing the checksum it has computed with 
the value received in the message PI. Although the DES standard defines both an encryption 
and a decryption algorithm, the decryption algorithm is not used by NTP so that the same 
software can be used at both ends. Furthermore, while both transmitter and receiver must use 
the same algorithm to authenticate the time packets, there is no reason why it must be the 
Data Encryption Standard, and the later versions of NTP support authentication using either 
DES or a variant of an algorithm called MD5P1. 

In addition to the usual problems associated with distributing and maintaining the key database, 
authentication may degrade the accuracy of time-stamps transmitted using the NTP protocol. 
The checksum must be computed after the entire message has been constructed, and it therefore 
inevitably delays the transmission of the packet by an amount that depends on the speed of 
the processor and on its load. This delay appears as an increase in the out-bound network 
transit-time; depending on the mode of the association, there may be no corresponding in- 
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bound delay to preserve the symmetry. It is possible to make an approximate correction for 
the time needed to compute the checksum by inserting an estimate for this time into the NTP 
configuration file, so that the problem introduced by the authentication is due not so much to 
the delay it introduces, but to the unmodeled fluctuations in this delay caused by changes in 
load and similar factors. 

Although this authentication method can be used by a private network of machines exchanging 
time messages only among themselves, it cannot be used to authenticate packets from a 
machine that is publicly available, such as the NIST primary time server. (The authentication 
in this case is only for the benefit of the client machines — the server itself has no need for 
authentication since it is synchronized to UTC via external means and does not accept network- 
based synchronization information.) The key used by the receiver to verify the authenticity of 
a packet is the same as the key used by the transmitter to produce it, so that the key used by a 
primary server must be widely known if the authenticity of its time packets is to be verified by 
its clients. But once the key is widely known, numerous other machine can use it to generate 
“authentic” packets as well, so that its use provides little or no security. In practice, therefore, 
the authentication scheme incorporated into NTP is only useful in validating transmissions 
among a group of peers which are under the control of a single management entity. 

The NTP protocol also supports an authentication mechanism based on the Internet address 
of the time source — a machine can be configured to accept information only if the network 
address of the source matches one of the entries in an internal table l 4 l. Although the time 
needed for this check can be made outside of the primary packet-exchange loop so that it does 
not degrade the transit-time estimate, the procedure can be quite lengthy if many addresses 
must be examined. As a consequence, this procedure is useful to safeguard a relatively small 
group of machines. It does not provide fool-proof protection even in this case because of the 
increasingly common practice of “ip-address spoofing.” 

DUAL-KEY ENCRYPTION 

Dual-key encryption (often called public-key encryption) is designed to overcome some of the 
problems with conventional single-key methods that I discussed in the previous section. A 
dual-key system uses two different keys (and usually two complementary procedures as well) 
to perform encryption and decryption. These ideas can be realized in a number of different 
ways, but all of them share the same basic properties!*!. A message, M, is encrypted using an 
encryption key e and an encryption procedure E to produce a cipher text C. Thus 

C = E(e,M). (1) 

There exists a decryption procedure D and a key d so that applying them to the cipher text 
recovers the original message: 


M' = D(d,C), 


( 2 ) 
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where M' is identical to M if and only if the key d is the cryptographic inverse of the key e. 
As with most cryptographic systems, the procedures E and D are well known; the security lies 
in the choice of the keys e and d. Although the two keys must be related mathematically, 
it is computationally infeasible to compute one from the other in any finite time. Different 
algorithms realize this secret linkage differently: in some cases the keys are the prime factors 
of a very large number, and the security rests on the difficulty of computing such factors. In 
other systems, the linkage is realized through discrete logarithms modulo a large integer, and 
the security comes from the difficulty of inverting such procedures. 

The dual-key system may be used in two different ways. If the encryption key is made public 
and the decryption key kept secret, then anyone can encrypt a message, but only the holder 
of the secret key can read the resulting cipher text. This configuration could be used to 
encrypt electronic mail messages or data transmissions, for example, so that only the intended 
recipient could read them! 7 !. If, on the other hand, the encryption key is kept secret and 
the decryption key is made public, then only the holder of the key can encrypt a message 
but anyone can read it. The existence of the encrypted text authenticates the authorship of 
the corresponding plain-text message, because only the holder of the secret key could have 
computed the encryption. There is no need to archive the message or the cipher text — the 
authentication can be verified by anybody, since both the decryption algorithm and the key are 
publicly known. Displaying the two versions is then a form of “digital signature” — the holder 
of the secret key can use the display as proof of authorship, and a third party can use the 
display to prevent the message from being repudiated. (Preventing a valid message from being 
repudiated by its author often has important legal and commercial applications 1*1 .) Although 
I would focus on the authentication aspects of a digital signature in the current discussion, 
both the encryption and authentication functions would be useful in the time and frequency 
business. 

The dual-key system changes the problems associated with distributing the keys, but it does 
not eliminate them. The secret key must remain secret, of course, but the more difficult issue 
is insuring that the public key, which must be widely available by definition, is not altered 
surreptitiously. A random alteration is the digital equivalent of jamming a radio signal — it 
may break the system locally, but is relatively easy to detect. Altering the public key so that it 
is the inverse of another private key is a more serious problem. If a third party with malicious 
intentions can manage to replace the legitimate public key with one that is the complement 
of his own private key, then a variety of more sophisticated attacks becomes possible, at least 
some of which have been discussed in the literature!®!. One way to address this problem is 
to have a central trusted repository for the public keys, but this simply pushes many of the 
problems we have been discussing into the design of this repository — it must be very secure 
and robust because it will become both an attractive target to attack and a single point of 
failure. The methods it uses to authenticate its responses to legitimate requests for public keys 
must be carefully studied as well to minimize the probability of undetected spoofing. 

Dual-key systems operating in the “digital signature” mode can provide a mechanism for 
authenticating time signals in principle, but there are a number of practical difficulties that have 
prevented their widespread use. The key distribution problems discussed above are a significant 
difficulty. In addition, the time needed to compute the digital signature may significantly affect 
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the accuracy of the transmissions. The computations are much more intensive than those 
required for single-key methods, and computing a signature may take an appreciable fraction 
of a second — even on a fast processor with optimized code. As with single-key methods, 
the average delay introduced by the computation could be estimated and a correction for 
it could be incorporated into the software, but the load fluctuations are likely to be more 
important because the correction itself is significantly larger. Furthermore, the complexity of 
the calculations can place a heavy load on a primary time server, which may have to respond 
to more than 10 requests/second during peak load. 

A DIGITAL TIME-STAMP SERVICE 

There are many situations where it is important to be able to prove that a document in digital 
format existed on a certain date and time in its current form. Examples include the disclosure 
of inventions, and many business transactions where time is a factor. The digital-signature 
algorithms can be combined with time signals in digital format to provide a publicly available 
time-stamp service for such documents that has many of the features of a Notary Public. In 
addition, the digital time-stamp service has a number of features that are not available with 
a traditional Notary including authenticating “documents” that are not text at all (such as a 
digitized photograph, a musical composition, or a compiled computer program) and providing 
authentication for a document without the need for revealing its contents to the authenticating 
authority. 

The general principles of this system are derived from the dual-key cryptography discussed 
above: The document to be signed is submitted to a timing laboratory such as NIST; the 
NIST server adds a time-stamp and then signs the result using its private key; the resulting 
compound document can be verified by anyone who has ihe corresponding public key without 
involving NIST at all — only the public key and the appropriate algorithm are required. The 
mathematics underlying the signature algorithm guarantees that the document, the time-stamp, 
and the signature originated from NIST and that neither the document nor the time-stamp 
could have been altered without invalidating the signature. Since the signature is an explicit 
function of the compound document, neither it nor the time-stamp can be reused on another 
document. Finally, the authentication of a signature can be performed independently of the 
original signatory and there is no need for a central repository of signed documents. 

The basic design would not necessarily detect a “replay” attack in which a valid document is 
re-transmitted a second time. If such attacks are a concern (as they might be with the message, 
“Deposit $100 to my account ...”) then simply adding sequence numbers to each message will 
detect the second message as a duplicate. 

This general procedure can be strengthened and generalized in a number of important ways: 

1. Using a technique known as “hashing” it is possible to eliminate the need to submit the 
document itself to the signature authority. A “hash” function is a one-way function that 
accepts a digital string of characters and computes a fixed-length output value based on 
the entire string. The check-sum characters often used in digital transmissions and the 
last character of the numbers used to identify products to a supermarket scanner ate 
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simple examples. The hash computation is a unique function of its input in the sense 
that changing any character of the input changes the hash, but it possesses no inverse — 
the input cannot be constructed knowing the hash output except by trial and error. Since 
the hash function is a unique function of its input, signing it is equivalent to signing the 
original, with the advantage that the original is not limited to printable text but can be 
a digitized photograph, a digital recording or any string of digital numbers. The exact 
contents need not be revealed to the signature authority. As a result, the hash values can 
be transmitted over insecure public channels so that the digital signature system can be 
implemented using ordinary electronic mail. 

2. If the system that receives the messages and adds the time-stamp is also a time-server 
for the network, then the accuracy of its time can be verified at any time (using NTP, for 
example) independently of the signature algorithm. The NIST time-servers, for example, 
receive 50000+ requests for time every day, so that any attempt to alter the time used 
for the stamping process would be widely detected almost immediately. 

3. The security of the system ultimately depends on the security of the private key used to 
sign the documents. If this private key is stored on the machine that is visible on the public 
network, then a successful network-based attack on this machine might reveal the secret 
key and compromise the entire system. This problem can be addressed by storing the key 
on a second “back” machine that is connected to the time-stamp machine via a private 
link that is not visible from the network. The two functions of signing and time-stamping 
are divided in this configuration, with the front machine adding the time-stamp and the 
back machine computing the signature. While the time-stamp machine must operate in 
“real time” signing documents as soon as they arrive, the back machine that computes 
the signature does not have this requirement. It can operate in a batch mode at discrete 
intervals, taking messages from an input queue on the front machine and returning them 
to an output queue there. The signed messages on the output queue can be returned to 
the sender or can be forwarded to a third party as required. 

4. The concept of using two machines can be generalized to improve the reliability of the 
system by constructing several “front” and several “back” machines. The various “front” 
machines might accept messages in a number of different formats including electronic 
mail, scanned images, and binary digital files of unspecified format. 

As in the previous discussion, the overall structure can be realized using a number of different 
algorithms, both in the computation of the hash function and in the actual signature process 
itself. The modular nature of the procedure makes is relatively simple to change to a new 
algorithm without breaking the overall system. 


CONCLUSIONS 

The increasing use of public packet-switched channels to transmit time and frequency signals 
and data raises concerns that these transmissions may be intercepted or modified by third parties 
with malicious intent. We have discussed a number of ways of safeguarding and authenticating 
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messages sent over public networks; none of them is widely used at this time and all have 
some practical drawbacks. In addition to the issues we have already discussed, some of the 
algorithms are proprietary and can only be used with a rather expensive license and others 
are considered sensitive and cannot be exported outside of the US without a special export 
license!*!. 

The experiences of the PC and Internet communities is that financial gain is not necessarily the 
only motive for attacking network-based services. Given these experiences, it is probably only 
a matter of time before a serious assault is attempted. It is probably useful to begin to think 
about these issues now while we can do so without the threat of an imminent network-based 
attack hanging over our deliberations. 

As more and more documents are transmitted and stored in digital format, there will be an 
increasing need for the digital equivalent of a Notary Public. The public-key algorithms that 
we have discussed can be combined with precise digital time signals to realize such a system at 
only modest cost. 
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Questions amd Answers 

GERARD PETIT (BIPM): Just a remark: I’m glad to let you know that you have already 
taken steps to prevent scrambling of our missages. We send that to USNO by fax. 

JUDAH LEVINE (NIST): Yes, I know. And we get it by regular mail as well. I understand 
that you are not totally susceptible to E-mail transport. But that’s an example, it’s not the only 
example, there are problems. For example, we put our data on STP side, and anybody can get 
it. And many other laboratories go through the same thing. 

KENNETH E. MARTIN (BONNEVILLE POWER ADMINISTRATION): I wonder, 
it seems like people that are be going to be doing mischief, that you might have, you know, 
kind of the basic idiot level who couldn’t do anything on the network anyway because they 
don’t understand it, that kind of technology; but then you’ve got more and more sophisticated 
people that might want to do you damage clear up to the point of, let’s say, a disgruntled 
insider; it seems like you might be creating a very elaborate system for a nonexistent segment 
there to protect yourself. In other words, you still have the possibility of some insider that 
could be changing your things because they’re unhappy about something; and there’s nothing 
you can do about that. 

JUDAH LEVINE (NIST): I agree with the premise that insiders are very difficult to deal 
with. I don’t necessarily agree that there’s nothing you can do. There are strategies, which 
I obviously haven’t talked about; there are strategies which can begin to address the concept 
of insiders in which, while an insider can do something, they leave a trail which points back 
to them, in which there is a unique key which you’ll have to have to enter before you can do 
anything, and that key is associated with you, and so on and so on. 

The answer is ‘yes, that’s a serious problem.’ The question of what the probability of outsiders 
is is hard to know; I can’t tell you what the probability is; I can only point to history in saying 
that a lot of people have gone to a lot of trouble to destroy PC’s of the people that they don’t 
know. That’s my only comment. 

1ST LT. OMAR M. NAMOOS (USAF): Are there reasons that NSA — I don’t know 
much about encryption, but I know that NSA doesn’t recognize the DES standard as good for 
secure communications or securing information. And, are there reasons that that’s the case? 
Is it maybe a vulnerability of the DES system that makes it more susceptible than you say? 

JUDAH LEVINE (NIST): The answer to those kinds of questions is those who know, don’t 
say and those who say, don’t know. So with that as a prefix, there are rumors that the DES 
algorithm can be broken and that the NSA knows how to break it. Whether that’s true or not 
is — perhaps it is, perhaps it isn’t. 

In the open literature, there are proposed attacks on the DES algorithm. None of them works 
in the finite time against a full-blown algorithm, the full 16-round algorithm. Whether there 
are secret attacks that people don’t know about, I don’t know. I’m an unclassified kind of guy. 
And the classified guys won’t tell you. So, there it is. 
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